Datica announced its fourth product, the Cloud Compliance Management System (CCMS). The new product completes Datica's suite of offerings focused on the two most difficult technology problems for digital health: cloud compliance and health data interoperability.

The dynamic nature of the cloud has greatly outpaced existing compliance tools available to developers. The modern cloud is no longer simply someone else's computer but is now a constellation of managed services delivered as software that sits on top of the leading cloud service providers, like AWS, Microsoft Azure, and Google Cloud.

API-Driven Continuous Compliance

Current compliance tools available to developers focus on monitoring at the level of the cloud account, including monitoring cloud user-level access and the host (operating system) level. The problem is most developers now rely on managed services, deploying technologies such as AWS Relational Database Service (RDS) or Azure Cosmos DB versus setting up their own databases on virtual machines, for example. Compliance in this new world of cloud managed services is opaque. Cloud account and host-level monitoring are inadequate to reduce organizational risk and ensure compliance.

Datica CCMS fixes that. It empowers developers with the flexibility to use the cloud services of their choice while remaining in compliance. It uses a first-of-its-kind approach to collecting configuration details via APIs from available cloud services, then reports the real-time compliance state back to end-users. The checked configurations are to the exact control specifications of HITRUST CSF v9.1, meaning the configuration states of available services are in compliance with HIPAA, GDPR, and GxP. CCMS users can leverage reports to attest compliance of a given cloud service during an audit or assessment. The totality of cloud compliance coverage is a unique benefit only available from Datica because other monitoring tools only watch access management via security groups or are focused on specific security concepts, like if encryption is turned on. No offering works backward from compliance controls and monitors the configuration states of managed services against the compliance control specification.

"Compliance monitoring tools have not kept pace with the breakneck speed of the cloud, creating roadblocks for developers and new liabilities for enterprises," said Travis Good MD, CoFounder, CEO, and Chief Privacy Officer. "The Datica CCMS is a culmination of our experience with thousands of compliant cloud deployments and working closely with HITRUST as a founding member of their Business Associate Council."

Transparent Compliant Cloud Configurations

To coincide with the product announcement, available today are public configurations for three of the most popular cloud managed database services: Azure Cosmos DB, AWS RDS, and Google Cloud SQL. The Datica Academy now includes step-by-step guides that explain how to configure these services to align with the HITRUST CSF. Every service the CCMS supports in the future will be publicly documented for complete transparency. The reason is straightforward: Healthcare moves at the speed of trust and customers must be able to trust-but-verify that the CCMS is monitoring configurations to the exact specifications of HITRUST. The gesture also extends Datica's commitment to transparency, a central tenet that has guided decision making since its internal compliance policies were open sourced in 2015.

"We don't believe in lock-in. Never have, never will," said Ryan Rich, Chief Product Officer. "Datica's objective is to remove the burden of compliance for developers which starts with education. We're happy to explain how to make every cloud service HITRUST CSF Certified, which will only help healthcare in the long run. Meanwhile, the Datica CCMS will remove the day-to-day burden of continuously monitoring compliance states of cloud services that change frequently while the historical and contextual reporting of those services will save tremendous amounts of time during audits."

While the three cloud service configurations are open and available today at https://datica.com/academy/, the product will be generally available for purchase starting early 2019, with limited availability for customers starting this Fall. Until then, many more configurations will be publicly published. Those interested in being notified of new configurations available can sign up at https://datica.com/ccms/.